ci: dedupe stale same-name checks in policy-gate #3242
ootakazuhiko wants to merge 3 commits into main from
Code Generation Drift Detection
Status: Automated by AE-Framework Codegen
CI Status Snapshot (2026-04-23T14:13:21.664Z)
Generate Artifacts Preview
Generated at: 2026-04-18T01:32:57.510Z
Coverage: n/a | Alerts: none | Formal: n/a | BDD: 3 criteria (Reserve inventory without going negative or double-booking) | LTL sugg: 3 | GWT: 0 | Adapters ok/warn/err=0/0/0 | Replay: n/a | Trace: Harness Health
Change Package
Change Package Validation
Plan Artifact
Assumptions
Files expected to change
Verification plan
Rollback plan
Revert the plan-artifact schema, scripts, policy-gate integration, and PR summary wiring.
Required human input
Notes
Plan Artifact Validation
Progress Summary
CodeX Artifacts Summary
AE-Spec Validation Report
Status: ✅ Passed
Validation Results
AE-IR Summary
BDD Step Lint (non-blocking)
Usecases: 1 Issues: 1
KvOnce Trace Validation
Pull request overview
This PR updates the CI policy-gate evaluation to ignore stale same-name status checks by collapsing check entries to the latest run (and extends the policy-input.v1 contract to carry the timing metadata needed to support that semantic), while keeping OPA shadow evaluation aligned and adding regression tests.
Changes:
- Deduplicate `statusCheckRollup` entries by `type::name` using `completedAt`/`startedAt` (with later-entry fallback) before evaluating required checks and gate checks.
- Extend `policy-input.v1` schema + sample fixture to include `workflowName`, `startedAt`, and `completedAt` for `CheckRun`.
- Add unit regression coverage for required-check and gate-check dedupe semantics (including pending/latest logic and timestamp-less fallback).
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tests/unit/ci/policy-gate.test.ts | Adds regression tests covering same-name dedupe behavior across required and gate checks. |
| scripts/ci/policy-gate.mjs | Adds timing metadata to check entries, collapses duplicates prior to evaluation, and emits timing metadata into policy-input.v1. |
| schema/policy-input-v1.schema.json | Extends the contract schema to allow check timing metadata. |
| policy/risk-policy.rego | Mirrors “latest-run” dedupe logic for OPA parity. |
| fixtures/policy/sample.policy-input-v1.json | Updates the sample contract fixture to include the new metadata fields. |
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e58e001f51
Quality Gates
CI Auto Rerun
Workflow
I have gone through the review body and all inline comments.
Local verification:
I will reply to each individual thread and then resolve it.
I have checked the additional CI status.
As an observed fact, the diff of this PR
Summary
- `scripts/ci/policy-gate.mjs` before evaluating required checks and gate checks
- `policy-input-v1` contract with check timing metadata needed for the same latest-run semantics
- `policy/risk-policy.rego`) in parity with the JS implementation and add regression coverage

Root cause
`policy-gate` evaluated every same-name entry in `statusCheckRollup`. When an older `CANCELLED` run and a newer `SUCCESS` run for the same check name coexisted on one PR head, `policy-gate` could fail with a false negative such as `required check failed: verify-lite`.

What changed
- `scripts/ci/policy-gate.mjs`
- `workflowName`, `startedAt`, and `completedAt`
- `type::name` using `completedAt -> startedAt -> later array entry`
- `policy-input-v1`
- `policy/risk-policy.rego`
- `schema/policy-input-v1.schema.json`
- `fixtures/policy/sample.policy-input-v1.json`
- `tests/unit/ci/policy-gate.test.ts`
- `startedAt` fallback, pending latest run, and timestamp-less `StatusContext` fallback

Validation
- `pnpm -s exec vitest run tests/unit/ci/policy-gate.test.ts tests/unit/ci/risk-policy-gate-check-alignment.test.ts tests/unit/ci/policy-shadow-compare.test.ts`
- `node scripts/ci/validate-json.mjs`
- `git diff --check`
- /tmp/opa version 1.15.2
- `required-check-dedupe` case: JS vs OPA snapshot match
- `gate-check-dedupe` case: JS vs OPA snapshot match

Acceptance
- `policy-shadow-compare`
- `policy-input-v1` contract remains schema-valid with the additional metadata

Rollback
- `policy-input-v1` shape

Closes #3241
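
The latest-run rule from the root cause and change list above, as an added sketch that is not the project's code in `scripts/ci/policy-gate.mjs`. The function names, the normalized entry shape (`type`, `name`, `status`, `conclusion`) and the `missing`/`pending` messages are assumptions; the sample runs are constructed. It also shows the fail-closed side of the rule: a newer run that is still in progress replaces an older `SUCCESS`.

```javascript
// Added illustration: names and entry shape are assumptions, not the project's code.
// Ordering key: completedAt, else startedAt, else NaN (no timestamp at all).
function entryTime(entry) {
  return Date.parse(entry.completedAt ?? entry.startedAt ?? '');
}

// Collapse entries to the latest run per `type::name`.
function dedupeLatest(entries) {
  const latest = new Map();
  for (const entry of entries) {
    const key = `${entry.type}::${entry.name}`;
    const prev = latest.get(key);
    const a = prev ? entryTime(prev) : NaN;
    const b = entryTime(entry);
    // No usable timestamp on either side, or a tie: the later array entry wins.
    if (!prev || Number.isNaN(a) || Number.isNaN(b) || b >= a) latest.set(key, entry);
  }
  return [...latest.values()];
}

// Required checks are judged on the collapsed list and fail closed:
// missing, still running, or non-SUCCESS all produce an error.
function evaluateRequired(entries, required) {
  const latest = dedupeLatest(entries);
  const errors = [];
  for (const name of required) {
    const runs = latest.filter((e) => e.name === name);
    if (runs.length === 0) errors.push(`required check missing: ${name}`);
    for (const r of runs) {
      if (r.status !== 'COMPLETED') errors.push(`required check pending: ${name}`);
      else if (r.conclusion !== 'SUCCESS') errors.push(`required check failed: ${name}`);
    }
  }
  return errors;
}

// Constructed sample data (not taken from the PR).
const mkRun = (status, conclusion, startedAt, completedAt) =>
  ({ type: 'CheckRun', name: 'verify-lite', status, conclusion, startedAt, completedAt });
const cancelled = mkRun('COMPLETED', 'CANCELLED', '2026-04-23T13:00:00Z', '2026-04-23T13:01:00Z');
const success = mkRun('COMPLETED', 'SUCCESS', '2026-04-23T13:05:00Z', '2026-04-23T13:09:00Z');
const rerun = mkRun('IN_PROGRESS', null, '2026-04-23T13:20:00Z', null);

console.log(evaluateRequired([cancelled, success], ['verify-lite'])); // stale CANCELLED is ignored
console.log(evaluateRequired([success, rerun], ['verify-lite']));     // newer pending run blocks
```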